CVE-2026-24445

High

Published: 27 February 2026

Published

27 February 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0010 28.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized…

access.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-7 Unsuccessful Logon Attempts

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

IA-10 Adaptive Authentication

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

Security SummaryAI

CVE-2026-24445, published on 2026-02-27, is a vulnerability in the WebSocket Application Programming Interface stemming from a lack of restrictions on the number of authentication requests, with no rate limiting implemented. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), affects systems handling charger telemetry, as indicated by references to ev.energy and CISA's ICS advisory. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) highlights its high severity, primarily due to the potential for significant availability disruption without requiring privileges or user interaction.

Unauthenticated attackers with network access can exploit this vulnerability by flooding the interface with excessive authentication requests. This enables denial-of-service attacks that suppress or mis-route legitimate charger telemetry data, disrupting operational visibility and control. Attackers could also leverage the absence of rate limiting for brute-force attacks, potentially gaining unauthorized access to the affected WebSocket interface.

CISA's ICS Advisory ICSA-26-057-07, detailed at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json, provides guidance on mitigations, with additional vendor information available at https://www.ev.energy/en-us.

Details

CWE(s): CWE-307

Affected Products

ev.energy

all versions

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

attack.mitre.org →

T1499 Endpoint Denial of Service Impact

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

attack.mitre.org →

Why these techniques?

Lack of rate limiting on WebSocket auth requests directly enables brute-force credential access (T1110) and resource-exhaustion DoS (T1499) against the public-facing interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-07.json
Third Party Advisory · ics-cert@hq.dhs.gov
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-07
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov
https://www.ev.energy/en-us
Product · ics-cert@hq.dhs.gov